Douglas,

DO> I do not speak for the other authors, but there was a discussion
DO> involving this issue that Dave Crocker had been addressing. It is my
DO> understanding this needs to change to reflect StartTLS is stronger but
DO> defines a different namespace which is why Dave indicates it does not
DO> authenticate the HELO domain.

So far, I do not see how that issue relates to Andrew's question. I
can imagine all sorts of possibilities, but would rather not guess.

Since Doug raised the issue, but separate from Andrew's question (and,
hence, the different subject line), the discussion of multiple host
authentication techniques produced a basic hole, with the possibility
that the authenticated identity could be different from the one
asserted in HELO. This is a dangerous hole, indeed.

The resolution is to use whatever domain is associated with the
authentication, rather than the one in the HELO.

And, yes, I do owe my co-authors some text. I'll take a break from
the beach, tomorrow, and see about writing it.

d/
--
Dave Crocker <mailto:dcrocker(_at_)brandenburg(_dot_)com>
Brandenburg InternetWorking <http://www.brandenburg.com>
Sunnyvale, CA USA <tel:+1.408.246.8253>, <fax:+1.866.358.5301>